Roles to support lowest privilege


I'd like to have a user configured in kibana/elastic that has limited permissions. In this case the user should be able to insert data into elastic.

I believe that this will require a role. What I do not understand, and cannot find, is which permissions to attach to the role to give it the required permissions.


If you open the "Create role" UI (Stack Management > Roles, the "Create role" button), you can attach Elasticsearch and Kibana privileges to the role.

Then you will need to attach this role to a user to give them the privileges. Keep in mind that privileges are always additive: if a user has two roles, one with all privileges and one without any, they will be able to do everything, because the two sets of privileges are merged.

Is this documented anywhere? Or can someone define what the minimum required permissions are?

There are no "minimum permissions" - you can freely configure what parts of Kibana and Elasticsearch are accessible for a user. The documentation can be found here: Security | Kibana Guide [7.15] | Elastic

Maybe I am not being clear. I need to know what the minimum permission requirements are such that the user that uses that role would be able to insert data into elastic but nothing more.

So consider an empty elastic data store.

I add some metrics in metricbeat; the user configured in metricbeat then connects into elastic and inserts that data without error. I, however, cannot use that user to query those metrics, i.e. least privilege.

What I do not understand and cannot find are the permissions that I add to a role that would meet this scenario.

I didn't understand the setup section in the docs but created a role and a user and it seems to be happily populating elastic, so thanks for the link. I can now do the same for the other beats, and I assume logstash.

This morning I am getting an error:
[publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(Elasticsearch(...): Connection marked as failed because the onConnect callback failed: error loading template: failed to load template: couldn't load template: 403 Forbidden:...... this action is granted by the cluster privileges manage_index_templates,manage,all]"}]

This wasn't in your instructions, so what am I missing/misunderstanding?

What does your filebeat config look like?

Did you run setup again? That error says that it could not load the template.
Which, if you wanted to be very explicit, would be the setup role.

But I suspect you still have template loading enabled (which you could disable after you run setup once). Many disable template loading for the Beats that are actually running; this prevents accidental overwriting of the template:

setup.template.enabled: false

So the Meta Process
Assuming you want full least privilege

Install Metricbeat
Configure for setup
Run setup with the setup user roles on 1 host

Deploy to other hosts with template loading disabled
setup.template.enabled: false
Run these with the publishing role.

Right, think of setup as Admin.

Then all the others will run as publisher... but you need to turn off the template loading.
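The two points the thread turns on, that role privileges are merged additively and that a publishing-only role is refused the moment a Beat tries to load its template (the 403 above), can be modelled in a few lines. The following Python is an added illustration, not code from the thread or from Elastic. The role names are hypothetical and the privilege lists are assumptions based on the usual setup-versus-publishing split; the set of cluster privileges that grant template loading is taken from the 403 message quoted above.

```python
"""Model how Elasticsearch role privileges combine and why a publishing-only
role is refused when a Beat tries to load its index template.

Added illustration, not code from the thread or from Elastic. Role names are
hypothetical; privilege lists are assumptions to adjust for your Beats and
Elasticsearch versions.
"""
import fnmatch
import json

# Cluster privileges that grant template loading, exactly as listed in the
# 403 message quoted in the thread.
TEMPLATE_LOAD_PRIVS = {"manage_index_templates", "manage", "all"}
# Index privileges that permit indexing a document (assumption: standard
# Elasticsearch index-privilege names).
INDEX_DOC_PRIVS = {"create_doc", "index", "write", "all"}
# Index privileges that permit searching.
SEARCH_PRIVS = {"read", "all"}

# Hypothetical roles in the shape accepted by PUT /_security/role/<name>.
SETUP_ROLE = {
    "cluster": ["monitor", "manage_ilm", "manage_index_templates", "manage_ingest_pipelines"],
    "indices": [{"names": ["metricbeat-*"], "privileges": ["manage"]}],
}
PUBLISH_ROLE = {
    "cluster": ["monitor", "read_ilm", "read_pipeline"],
    "indices": [{"names": ["metricbeat-*"], "privileges": ["create_doc", "auto_configure"]}],
}


def merge_roles(*roles):
    """Effective privileges of a user holding all of ``roles``.

    Privileges are additive: the result is the union, so a permissive role
    is never narrowed by a restrictive one held alongside it.
    """
    cluster = set()
    indices = {}  # index-name pattern -> set of privileges
    for role in roles:
        cluster.update(role.get("cluster", []))
        for entry in role.get("indices", []):
            for pattern in entry["names"]:
                indices.setdefault(pattern, set()).update(entry["privileges"])
    return {"cluster": cluster, "indices": indices}


def cluster_allowed(effective, required_any):
    """True if the user holds any one of the privileges that grant the action."""
    return bool(effective["cluster"] & set(required_any))


def index_allowed(effective, index_name, required_any):
    """True if some index pattern matching ``index_name`` carries a granting privilege."""
    for pattern, privs in effective["indices"].items():
        if fnmatch.fnmatchcase(index_name, pattern) and privs & set(required_any):
            return True
    return False


def can_start_beat(effective, template_loading=True):
    """Simulate the onConnect phase of a Beat.

    Assumption: the Beat needs ``monitor`` to read cluster details on connect,
    and with template loading enabled it needs a template-loading privilege
    before a single event is published. Disabling template loading
    (setup.template.enabled: false) removes that second requirement.
    """
    if not cluster_allowed(effective, {"monitor"}):
        return False
    if template_loading and not cluster_allowed(effective, TEMPLATE_LOAD_PRIVS):
        return False
    return True


def role_body(role):
    """JSON body for PUT /_security/role/<name>."""
    return json.dumps(role, indent=2, sort_keys=True)


if __name__ == "__main__":
    pub = merge_roles(PUBLISH_ROLE)
    setup = merge_roles(SETUP_ROLE)
    index = "metricbeat-7.15.0-2021.10.01"  # constructed sample index name
    print("publisher, template loading on :", can_start_beat(pub, True))   # the 403 case
    print("publisher, template loading off:", can_start_beat(pub, False))
    print("setup role, template loading on:", can_start_beat(setup, True))
    print("publisher can index a document :", index_allowed(pub, index, INDEX_DOC_PRIVS))
    print("publisher can search           :", index_allowed(pub, index, SEARCH_PRIVS))
    print("publisher + setup merged       :", can_start_beat(merge_roles(PUBLISH_ROLE, SETUP_ROLE), True))
    print(role_body(PUBLISH_ROLE))
```

Running it shows the thread's situation end to end: the publishing role alone fails the connect phase while template loading is on, passes once `setup.template.enabled: false` is set, can index into `metricbeat-*` but cannot search it, and a user who also holds the setup role regains template loading because the two roles are unioned rather than intersected.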
